Fake Antivirus: Win 8 Security System

Microsoft is planning to release Windows 8 toward the end of October, and malware authors have already started developing a Win8 rogue antivirus called Win8 Security System.

Win8 Security System belongs to the Braviax family of rogues. What makes it special is that it is extremely difficult to remove. It drops a rootkit of the Necurs family into the drivers folder and runs it as a service. The rootkit hides the rogue's program files and processes from Windows, which makes it harder for security products to detect and remove them.

Fig1: Fake Scan result

The malware produces a list of fake scan results, shown above, to scare the victim into registering and purchasing its full version through an online bank transaction.

Fig2: Alert at Taskbar


Fig3: Fake scan result warning message


Fig 4: Rogue asking victim to purchase Full version


Win8 Security System uses its rootkit component file to hijack Internet Explorer and Google Chrome to display fake security warning messages when you try to browse the Internet:

Fig 5: Browser Hijack

Files Added by Win8 Security System

%LocalAppData%\<random numbers and characters>.exe
%StartMenu%\Programs\Win 8 Security System
%StartMenu%\Programs\Win 8 Security System\Buy Win 8 Security System.lnk
%StartMenu%\Programs\Win 8 Security System\Launch Win 8 Security System.lnk
%System%\drivers\<random numbers and characters>.sys
%UserProfile%\Desktop\Buy Win 8 Security System.lnk

Quick View of Dropped LNK file

The shortcut files that Win8 Security System drops in the Start Menu folder and on the Desktop point to reg.exe. When the victim clicks, for example, the Buy Win 8 Security System shortcut, a harmless registry entry is created, and the rootkit monitors that entry.

Fig6: LNK file pointing to reg.exe

Shortcut target:

C:\WINDOWS\system32\reg.exe add "HKCU\SOFTWARE\Microsoft\Windows NT" /v FrameworkBuild /t REG_DWORD /d 0 /f
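
A triage check for the shortcut behaviour described above, as an added example that is not part of the original post. It resolves every .lnk under the current user's Start Menu and Desktop and flags those that launch reg.exe with an "add" command or carry the rogue's name; the function names and the choice of folders are assumptions, while the rogue name, key and value name come from this page.

```powershell
# Added example. Indicator strings come from the article; function names are hypothetical.
$RogueName = 'Win 8 Security System'
$RegKey    = 'HKCU:\SOFTWARE\Microsoft\Windows NT'
$RegValue  = 'FrameworkBuild'

function Get-ShortcutInfo {
    # Resolve target and arguments of every .lnk below the given folders.
    param([string[]]$Root)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
    }
}

function Test-SuspiciousShortcut {
    # True when the shortcut runs "reg.exe add ..." or is named after the rogue.
    param($Info)
    $isRegExe  = [IO.Path]::GetFileName($Info.Target) -ieq 'reg.exe'
    $writesReg = $Info.Arguments -match '^\s*add\b'
    $isNamed   = $Info.Shortcut -like "*$RogueName*"
    return (($isRegExe -and $writesReg) -or $isNamed)
}

# The article lists %StartMenu% and %UserProfile%\Desktop as drop locations.
$roots = @(
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('Desktop')
)
$hits = @(Get-ShortcutInfo -Root $roots | Where-Object { Test-SuspiciousShortcut $_ })
$hits | Format-List
"{0} suspicious shortcut(s) found" -f $hits.Count

# The shortcut target writes this value; report it as a lead, not as proof of infection.
$marker = Get-ItemProperty -LiteralPath $RegKey -Name $RegValue -ErrorAction SilentlyContinue
if ($marker) {
    "Value '$RegValue' exists under $RegKey (data: $($marker.$RegValue))"
}
```

Because the rootkit hides the rogue's files from Windows, an empty result on a running system does not clear it. Get-ShortcutInfo accepts any folder list, so the same check can be pointed at a user profile mounted from a clean environment.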

To prevent situations like this, the Total Defense Research Team recommends that you:

•    Enable a firewall on your computer.
•    Get the latest computer updates for all your installed software.
•    Use up-to-date antivirus software.
•    Limit user privileges on the computer (don’t log on as the Administrator).
•    Use caution when opening attachments and accepting file transfers.
•    Use caution when clicking on unsolicited links to web pages.
•    Avoid downloading pirated software.